Karen Scarfone's Publications and Blog

Here are links to my online publications and blog posts! Sign up to get a weekly email update when I release a new pub or blog post. 

Mapping Relationships Between Documentary Standards, Regulations, Frameworks, and Guidelines: Developing Cybersecurity and Privacy Concept Mappings

This document describes NIST’s approach to mapping the elements of documentary standards, regulations, frameworks, and guidelines to a particular NIST publication, such as CSF Subcategories or SP 800-53r5 controls. The approach is to be used for mappings that involve NIST cybersecurity and privacy publications, are submitted through the NIST Online Informative References (OLIR) process, and are hosted on the Cybersecurity and Privacy Reference Tool (CPRT).

SP 1800-37, Addressing Visibility Challenges with TLS 1.3 within the Enterprise

The NCCoE is demonstrating options for maintaining visibility into TLS 1.3-protected traffic within an enterprise. The project demonstrates several standards-compliant architectural options that enterprises can use to provide both real-time and after-the-fact systems monitoring and analytics capabilities. This publication describes the approach, architecture, and security characteristics of the demonstrated proofs of concept.

SP 800-221A, Information and Communications Technology Risk Outcomes

Information and Communications Technology (ICT) spans all tools, devices, data, infrastructure, and components, and it is a broad concept that continues to evolve. This publication provides desired outcomes and applicable references common across all types of ICT risk; it offers a common language for understanding, managing, and expressing ICT risk to internal and external stakeholders and can help identify and prioritize actions to reduce ICT risk. The core of this publication can be browsed and downloaded in popular formats such as JSON and Excel using the NIST Cybersecurity and Privacy Reference Tool (CPRT).

SP 800-221, Enterprise Impact of Information and Communications Technology Risk

Information and Communications Technology (ICT) spans all tools, devices, data, infrastructure, and components, and it is a broad concept that continues to evolve. This publication helps in understanding the relationship between ICT risk management and enterprise risk management (ERM), and the benefits of integrating those approaches. This includes guidance on how all ICT risk programs, including individual programs such as privacy, supply chain, and cybersecurity, integrate into ERM.

Data Classification Concepts and Considerations for Improving Data Protection

Data classification is the process an organization uses to characterize its data assets using persistent labels so those assets can be managed properly. This publication defines basic terminology and explains fundamental concepts in data classification so there is a common language for all to use. It can also help organizations improve the quality and efficiency of their data protection approaches by becoming more aware of data classification considerations and taking them into account in business and mission use cases, such as secure data sharing, compliance reporting and monitoring, zero trust architecture (ZTA), and large language models (LLMs).

Improved Cybersecurity Logging Gives Agencies Better Network Visibility

Each agency should use logging in conjunction with various tools for finding vulnerabilities on each of its IP network-connected technology assets, including missing patches, outdated software versions in need of upgrading, and misconfigured software and services. Most agencies will need to use several tools in combination to achieve the necessary visibility for all of their assets, no matter where each asset is located at any time. Let’s take a closer look at some of these tools.